9 episodes

Ever wonder what a narrative story telling meets technology podcast would look like? Well, look no further, the Lock Me Down podcast is unlike any other technology podcast you have heard. Mysterious, intriguing and captivating stories? Check. Crazy company security snafus? Definitely. Whether you interested in the mystery behind company security breaches or a hacker's escapades the Lock Me Down podcast aims to deliver.

Lock Me Down | Security for the Everyday Developer Max McCarty

    • News

    Show 9: DDoS History as a Cyber Weapon Part 1

    Story: DDoS History as a Cyber Weapon

    Like so many advancements in human history, the internet has a tendency to be used for more than what its originators conceived. It provides a vast range of beneficial services. Yet those same services are often besieged by those who wield the collective power of the internet to conduct distributed denial of service attacks. In this story, we look at DDoS history and its impact as a cyber weapon.

    For over the past 60 years, we have seen numerous movies showcase the idea of a weapon wielding the ability to flash an invisible wave of power that could knock an opponent’s computer or electronic system offline. Sometimes it’s in the form of a futuristic pistol generating pulses, or a kill switch like the one on the ship Nebuchadnezzar in the movie The Matrix.

    Back on earth, we have seen this force in reality, starting with the nuclear bomb test blasts that the U.S. has recorded for half a century. The electromagnetic pulse effect of such detonations, in the megatons and at various altitudes, has been shown to be powerful. As we’ll see in the podcast, the ramifications of those nuclear test blasts were felt in places like Hawaii, where businesses and services were knocked offline.

    In all of these examples, the result takes the form of a denial of service: a service has been rendered unavailable. With the collective nature of the internet, we have seen the effective power of forcing a network, site or service offline through denial of service attacks. This is especially evident when the attacking power is distributed over numerous computer resources, such as we have seen provided by the botnets formed from the Zeus Trojan.

    In this first part, we’ll examine DDoS (distributed denial of service) history and the role it has played over the last two and a half decades: from origins as nothing more than juvenile tools for taking over chat networks to military weapons used to take down entire nations. Like the cyber weapon we saw in the story on Stuxnet, DDoS attacks have proven to be viable private and state-level weapons used for extortion, smoke screens or military pre-strike attacks.

    Fabulous Failure

    It is natural for most people and society to hear about the benefits of an education. In this fabulous failure we hear the story of hackers who managed to circumvent the network of the Central Bank of Bangladesh. But despite holding all the chips, education, or possibly a lack of it, causes them to lose out on $700 million.

    • 32 min
    Show 8: The Business Club

    STORY: The Business Club and the Zeus Trojan

    So You Want to Be a Gangster?

    Whether you hail from old school shows like Dragnet or something more recent like The Sopranos, there’s a reason why those shows did so well and attracted long-time loyal audiences: it’s exciting and daring, and a life not known by the everyday person like myself. The Hollywood picture of organized crime is painted with a colorful brush, one that’s quite different from the true story behind many of the criminal families, bosses and crews in history’s timeline that we have read about. Such is the story behind the organized crime syndicate using the Zeus trojan.

    But organized crime of the digital age has a new face and a new hustle, one that is moving at breakneck speed and causing record-breaking costs to businesses. In this show, we’re going to hear about one of those organizations, one that has lasted for over a decade.

    “The Business Club” is an organization that ran the highly successful and unprecedented “Gameover ZeuS” network, named after the original ZeuS trojan. It was a highly skilled and organized crew comprising a number of key core members and extended faction crews, not unlike any criminal organization of the 20th and 21st century.

    Various criminal organizations around the world that engage in any number of illegal vices, such as arms trafficking, racketeering and money laundering, rely on the various skills of their members or extended crews to turn a profit. The Business Club members were known for various skills that directly contributed to their multi-million dollar enterprise. Whether that consisted of writing the malware, hacking for distribution or organizing money mules, each played a role in its success.

    Led by the Russian Evgeniy Mikhailovich Bogachev, the crew compromised the computers of various nations around the world for years. Originally developed by Bogachev, the Gameover Zeus network was a highly sophisticated network of botnets and command and control servers.

    But undermining the bank accounts of individuals and corporations wasn’t the only use of this system. There was another sinister operation at hand, one that might trace back to a political and state-sponsored motivation. Listen to the show and get the full story on who “The Business Club” was.

    Sources

    http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/

    http://cybersecurityventures.com/cybersecurity-market-report/

    http://www.businessinsider.com/flashpoint-report-ransomware-2016-6

    https://zeustracker.abuse.ch/faq.php

    http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html

    https://www.justice.gov/iso/opa/resources/2162014411104532407242.pdf

    https://www.fox-it.

    • 21 min
    Show 7: Digital Sabotage

    Story: The Story of Stuxnet [01:40]

    In June 2010, an infected computer was discovered with an unknown strain of malware that would end up kicking off a year-long investigation that redefined the term cyber warfare. While many in the anti-virus and security communities opted to sideline research on the newly discovered malware, dubbed Stuxnet by Microsoft, there were a handful of small and enterprise groups that would relentlessly chase the answers to the malware’s unprecedented mysteries. Mysteries that would include nuclear weapons, assassinations and nation-state endorsed military offensives before it was all said and done.

    At the end of 2009, the International Atomic Energy Association (IAEA) would discover that the Iranian uranium enrichment facility at Natanz, Iran was losing an unprecedented number of centrifuges within a short number of months. Centrifuges are a key component in the facility’s ability to produce highly enriched uranium, now believed to be for the end goal of developing nuclear weapons. Losing an enormous number of centrifuges would severely impact the country’s nuclear program and its ability to produce enriched uranium. After months of a steady increase in the facility’s operational centrifuges and enriched uranium output, was this sudden downturn a product of scientific malfunction, or was it sabotage?

    If it was sabotage, there was only one problem.  The facility at Natanz was disconnected from the outside world.

    In military history, the sabotage of a strategic location would require ground forces at the target location. This is the story of a new covert military operation never seen before: a new cyber weapon that, once launched, could achieve the same physical sabotage and destruction without the intervention of a military force.

    The Burning Question [56:20]

    This episode’s burning question is about avoiding improper implementations of HTTP Strict Transport Security (HSTS).

    I’ve talked extensively before about implementing HSTS in your web application.  But the problem that I see out in the wild when it comes to HSTS is implementation details that could make all the difference to the level of benefit it adds to your application.

    Transparency can be a benefit where it applies, such as knowing what a non-profit organization does with your donation, or how certain government processes work. But transparency has no place when it comes to implementing HSTS. However, it is quite common to find a web application announcing its HSTS details over unsecured HTTP.

    What does this mean, and what’s the big deal? The whole benefit of HSTS is to reduce the surface area of a man-in-the-middle attack by reducing the number of insecure HTTP requests to your web application. It does this by allowing the browser to intercept insecure HTTP requests to your site and instead send the request over HTTPS. But in order for the browser to do that, your site has to notify the browser about its HSTS policy.

    However, if your HSTS policy never makes it to the browser, then the typical redirect song and dance will commence, with each insecure HTTP request being vulnerable to a man-in-the-middle attack on the user. How would it not make it to the user? Through a man-in-the-middle scenario: any attacker who sees the policy being issued over HTTP can subsequently remove it, leaving your browser none the wiser.

    Therefore, in this episode we talk about when to provide the browser with your site’s HSTS policy, as well as what kind of redirect should be issued when it comes to HSTS.
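As an added illustration of the checks the episode describes (not code from the show or from lockmedown.com), the following Python audit classifies captured responses: an HSTS header seen over plain HTTP, a missing or non-permanent redirect to HTTPS, and a missing or weak policy over HTTPS. The hostname example.test, the sample headers, the 301 expectation and the minimum max-age are constructed assumptions, and the host-change check goes slightly beyond the show’s text.

```python
from urllib.parse import urlsplit

# Assumption: a policy shorter than about six months is flagged as weak.
MIN_MAX_AGE = 60 * 60 * 24 * 180


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().strip('"').isdigit():
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def audit_hsts(url, status, headers):
    """Return a list of findings for one observed response; an empty list is a pass."""
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    sts = hdrs.get("strict-transport-security")
    findings = []
    if parts.scheme == "http":
        # The policy only counts when the browser receives it over HTTPS;
        # over plain HTTP browsers ignore it and an on-path attacker can strip it.
        if sts is not None:
            findings.append("HSTS header announced over insecure HTTP")
        target = urlsplit(hdrs.get("location", ""))
        if not 300 <= status < 400 or target.scheme != "https":
            findings.append("insecure HTTP request not redirected to HTTPS")
        elif target.hostname != parts.hostname:
            findings.append("redirect changes host, so HSTS for this host is not learned from it")
        elif status != 301:
            findings.append("redirect to HTTPS is not permanent (301)")  # assumption: 301 expected
        return findings
    if sts is None:
        return ["HTTPS response carries no Strict-Transport-Security header"]
    max_age, _ = parse_hsts(sts)
    if max_age is None:
        findings.append("HSTS header has no valid max-age and will be ignored")
    elif max_age == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below the assumed minimum {MIN_MAX_AGE}")
    return findings
```

Feed it the URL, status and headers of each response you observe for your own site (for example from curl -I) and clear every finding, starting with any policy seen over plain HTTP.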

    Fabulous Failure [01:02:27]

    It’s quite common place for hackers to ridicule a target for their poor security implementation after...

    • 1 hr 7 min
    Show 6: Interview with Dave Rael

    Dave Rael is a dedicated father and husband and a seasoned software professional. He specializes in building distributed systems and understanding problem domains, especially via Domain-Driven Design and Behavior-Driven Development. Outside work, he’s usually playing with kids, playing basketball, lifting weights, coaching youth sports, and enjoying dirty jokes. He blogs at optimizedprogrammer.com about writing software and getting the most out of life and is the host of the Developer on Fire podcast at developeronfire.com, where he extracts inspiring stories from successful software geeks.

    Dave is the voice behind the popular Developer on Fire podcast, but he is also a seasoned developer, and just like you and I, he’s down in the trenches.  He’s learned a lot about software security over the years and his experience and journey has been similar to a lot of developers.  In this interview, we get to learn some of Dave’s thoughts, experience, revelations and tips on developing secure applications.

    Below are some highlight points of the interview:

    [Interview]

    (00:02:30) A bit about Dave.

    (00:12:00) Eye opening threats.

    (00:14:50) Updates, updates, updates.

    (00:25:00) Bolted on or baked in?

    (00:30:00) Hardest part about writing secure software.

    (00:32:00) Dave’s security recommendations for leaders.

    * BeEF (Browser Exploitation Framework)

    I Need You: If you like the show, help me out and leave a review for the podcast on iTunes but also in Stitcher and don’t forget to check out other Lock Me Down podcast shows.

    • 40 min
    Show 5: The Notorious Hacker

    We all have our favorite stories of adventures whether on the big screen or a novel that we just can't put down. Today I have a story about someone you might have heard of, he's an author, speaker, computer security expert. But he hasn't always been. Known as one of the forefathers of hacking, who was on the run from the authorities for a number of years, evading the law, accumulating hacking trophies, he was, the notorious hacker.

    We'll also talk briefly about handling password resets in your app and finally a Fabulous Failure that will make you question all your software.

    Show Notes: http://lockmedown.com/the-notorious-hacker

    • 40 min
    Show 4: Black Wednesday

    You know those mysteries you might have read about, you know, the ones you couldn't put down? Well, I am glad you joined, because today I have a mystery that you might know about, you might even have been part of, an unsolved mystery that is known as Black Wednesday.

    We'll also talk about that security risk with the wacky acronym XSS (cross-site scripting). And with all the news about hacker ransom ultimatums, well, they had to have inspiration from somewhere; we'll hear about how one mobile company fed the trolls. Get the show notes @ http://lockmedown.com/black-wednesday

    • 28 min